The current technology allows programming and updating of software resident on remote electric and electronic devices. The application software and operating systems of ordinary household computers, PCs and laptops, are also constantly and periodically updated, either on the request of the user or automatically. Similarly it is common practice to update via the Internet firmware for the management of a wide range of electronic devices such as CD and DVD players, PlayStations, Internet connection routers, etc. This offers the users obvious advantages.
The possibility of updating remote devices is also an advantage for the manufacturers of the devices, for example they can distribute the devices equipped with software or firmware in a reduced version and enter the market in a much quicker timeframe than the one normally required to develop and test complete software. The end user can then acquire, free of charge or by payment, the updated and most advanced versions of the software or firmware. The end user can also be certain that the product acquired is maintained and that any future software problems can be tackled and solved. Furthermore, the manufacturer will have the advantage that it can correct software and/or firmware defects which are inevitably present in the first versions marketed.
The development of technology and connectivity between electronic equipment, processors, network servers etc. has considerably widened the possibility of connecting any device to a system, for example a company server, to download new or updated software. On-line updating is available in an increasing number of situations, both free of charge and by payment, for example in the form of an annual subscription. Operating systems for personal computers, antivirus programs and application software for computers are some of the commonest examples.
In the industrial and production sector, situations can occur in which a company requires an external supply to compensate for internal deficiencies or limits, for example a limited production capacity or simply an organization policy whereby some parts or equipment are produced by outside companies. In all these cases there is a need to exchange confidential information (wiring diagrams, assembly plans, mechanical drawings, firmware etc.). Legal tools, such as NDA (Non-Disclosure Agreements) do not always provide adequate protection of the company's proprietary know-how. Furthermore, if production is outsourced to third parties, there is always the risk of an over-production intended for the parallel market with consequent economic losses, which can be considerable, for the company owning the know-how and the intellectual property.
FIGS. 1 and 2 show schematically two possible connection systems of a remote device to a server of a manufacturing company, for example in order to program or update the files of said device.
More specifically, FIG. 1 shows a functional diagram of a system in which a generic device 1, for example an electronic device or electronic equipment, with software or firmware on board, connects via the Internet I to a company server 3 to autonomously download an update resident in the company server 3. The latter is connected to a database containing sensitive data indicated by 5 and to a firmware or software archive indicated by 7.
Instead of a direct connection of the device 1 to the server 3 via the Internet I, an indirect connection can be provided via a local computer, for example a PC or a laptop to which the device 1 is connected and which is in turn connected to the Internet I. In this case it is the local computer that establishes the connection and downloads the software or firmware in order to then update the device 1. In this case the computer can be physically connected (by means of wired or wireless connection or in another way) to the device to be updated, or the connection can be provided manually, i.e. the updated software/firmware can be downloaded via the computer from the Internet I and then passed to the device to be updated by means of a memory support, for example a flash memory, a DVD, a CD or other support.
A system devised as in FIG. 1 is without protection and an attack on the company server 3 would endanger the sensitive data.
To avoid this circumstance, an architecture of the type schematically illustrated in FIG. 2 is usually provided: the device 1 connects to a public server (web server) 11 which has access to a database containing non-sensitive data, indicated generically by 13. The company server, again indicated by 3, is connected to the database 5 containing the sensitive data and to the software or firmware archive 7, which must be protected from the outside. This protection is provided by a firewall 15 which prevents direct access to the company server 3 by an external device, whether it is a generic device in the field which requires an update or downloading of software/firmware or whether it is a computer in turn connected or connectable to the device to be updated.
In this way the device or the external user has access only to the area indicated as DMZ (in jargon DeMilitarized Zone) via which he can access, for example, a series of company services, but he cannot access in an uncontrolled manner the area containing the sensitive data, the software/firmware and in general the know-how of the company that owns the server.
Other techniques exist for the protection of sensitive data in a situation in which an external user can request access, via the Internet or another non-protected connection, to a company server, for example NAT (Network Address Translation) technology.
To protect the information content of firmware or software in transit through a non-protected channel, for example via the Internet or by e-mail, the firmware or software is encrypted to make it unrecognizable to a third party. Currently there are a large number of encryption techniques of various types. All the encryption techniques are based on the use of at least one encoding or encrypting key, called master key, or a plurality of said keys, which remain secret and are typically held by the parties which, within an information management system, are responsible for encrypting and decrypting the software or firmware. The encryption algorithm is based on the intrinsic difficulty of recovering the original information (the program code before encryption) starting from the encrypted information without knowing the encryption key or keys.
In the case of devices in the field to be updated, the encryption key or keys must reside in the bootloader, i.e. in the program responsible for starting the functions of the device every time said device is switched on. This is necessary since the bootloader is the only program able to update the device and therefore requires knowledge of the encryption key or keys to decrypt the updated software or firmware which is downloaded or in any case supplied to the device.
In traditional systems there are various vulnerable points which can constitute security holes in the transmission systems of encrypted codes or software/firmware:
    the source codes, i.e. the non-encrypted software or firmware, are available also to non-authorized persons and in any case the person who writes the code knows the encryption keys. Unscrupulous personnel could steal this information and use it for themselves or pass it on to non-authorized subjects;
    the bootloader in executable format (binary code) is necessarily written in plain text because otherwise it would not be functional for the microcontroller that has to use it. This non-encrypted code is also available outside the company that owns the software to be protected, for example it can be supplied to third-party companies to whom production of the devices is outsourced, or it can be present in non-secure production sites, for example delocalized with respect to the headquarters of the know-how owner company;
    the binary code of the decrypting program necessary for integrally reprogramming the device with the code in plain text. Normally this information is possessed only by the know-how owner company and is intended for internal use only. Supply of this information to technicians for intervention in the field, for example at the premises of a client, would expose the company to the risk of loss of confidential information.
To reduce the risk arising from the third factor listed above, software exists which provides a conversion application program that is difficult to decrypt. The other two sources of risk cannot currently be effectively neutralized.
In short, in the scenario briefly outlined above, multiple problems can occur, including:
    guaranteeing that the device to be updated is a device authorized to obtain the update, for example a device for which the update fee has been duly paid, or that it is an original device of the manufacturer which makes its software updates available;
    guaranteeing correct correspondence between the software/firmware downloaded and the device on which it is installed;
    preventing interception of transmission of an updating software or firmware by a non-authorized third party, which could make fraudulent use of it;
    preventing a non-authorized update from being installed on a device;
    allowing the end user efficient updating of his software/firmware, at the same time protecting the manufacturer's confidential information;
    guaranteeing that a third party manufacturer, to whom the production of certain articles has been outsourced, produces the number and type of articles permitted and not others;
    tracking the products distributed for the purposes of maintenance or servicing in general.
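
As an added illustration (not part of the original text, and not a scheme the text describes), the following Python example shows what a bootloader-side check covering the first, second and fourth problems above can look like when the key resident in the bootloader is specific to one device. The package layout, the key derivation from a serial number and all names are assumptions made for the example; the encryption of the payload discussed earlier is left out, and only authentication and device binding are shown.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct(">4sHII")   # magic, model id, version, payload length
MAGIC = b"FWUP"                    # hypothetical package marker
TAG_LEN = 32                       # HMAC-SHA256 output size


def device_key(master_key: bytes, serial: bytes) -> bytes:
    """Server side: derive the key provisioned into one device's bootloader."""
    return hmac.new(master_key, b"fw-update|" + serial, hashlib.sha256).digest()


def build_package(key: bytes, model: int, version: int, payload: bytes) -> bytes:
    """Server side: header + payload, followed by an HMAC-SHA256 tag over both."""
    body = HEADER.pack(MAGIC, model, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def bootloader_accept(key: bytes, my_model: int, package: bytes):
    """Device side: return (True, payload) or (False, reason)."""
    if len(package) < HEADER.size + TAG_LEN:
        return False, "truncated"
    body, tag = package[:-TAG_LEN], package[-TAG_LEN:]
    # Authenticate before parsing anything: a package not built with this
    # device's key (unauthorized source, or meant for another unit) stops here.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad tag"
    magic, model, version, length = HEADER.unpack_from(body)
    payload = body[HEADER.size:]
    if magic != MAGIC or length != len(payload):
        return False, "malformed"
    # Correspondence between the firmware and the hardware it is installed on.
    if model != my_model:
        return False, "wrong model"
    return True, payload


# Constructed sample values, for illustration only.
MASTER = bytes(range(32))
KEY_A = device_key(MASTER, b"SN-0001")
KEY_B = device_key(MASTER, b"SN-0002")
PKG_A = build_package(KEY_A, model=7, version=2, payload=b"\x90" * 64)

if __name__ == "__main__":
    print(bootloader_accept(KEY_A, 7, PKG_A)[0])   # device A, matching model
    print(bootloader_accept(KEY_B, 7, PKG_A))      # device B, same package
    print(bootloader_accept(KEY_A, 8, PKG_A))      # device A, different model
```

With a single master key shared by every bootloader, as in the traditional systems described above, the second call would succeed as well; the per-device key is what ties an update to one authorized unit.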